CVE-2016-4974

Severity

Moderate

Affected components

Qpid JMS

Affected versions

0.9.0 and earlier

Fixed versions

0.10.0 and later

Description

Deserialization of untrusted input while using JMS ObjectMessage.

When an application calls getObject() on a consumed JMS ObjectMessage,
it is subject to the behaviour of any object deserialization that occurs
while the body to return is being constructed. Unless the application
has taken outside steps to limit the deserialization process, it cannot
protect against input that might try to make undesired use of classes
available on the application classpath that might be vulnerable to
exploitation. In order to exploit this vulnerability, an attacker would
need to be able to inject a suitably crafted AMQP message containing
the malicious JMS ObjectMessage into the AMQP message network. For
this, the attacker would require valid authentication credentials and
suitable authorisation.

Mitigation

Users using ObjectMessage can upgrade to Qpid JMS client 0.10.0 or
later, and use the new configuration options to whitelist trusted
content permitted for deserialization. When so configured, attempts to
deserialize input containing other content will be
prevented. Alternatively, users of older client releases may utilise
other means such as agent-based approaches to help govern content
permitted for deserialization in their application.
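As an added illustration of the 0.10.0 mitigation (not code from this advisory or from the Qpid project), the following consumer sets the deserialization whitelist on the connection URI and treats a rejected body as an error rather than a payload. The `jms.deserializationPolicy.whiteList` option name is taken from the Qpid JMS client configuration documentation and should be checked against the release in use; the broker address, queue name, credentials and the `com.example.orders` package are placeholders.

```java
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.ObjectMessage;
import javax.jms.Session;
import org.apache.qpid.jms.JmsConnectionFactory;

public class RestrictedObjectMessageConsumer {

    // Placeholder broker address and queue name.
    private static final String BROKER = "amqp://broker.example.internal:5672";
    private static final String QUEUE = "orders";

    // Connection URI option from the Qpid JMS 0.10.0+ configuration docs
    // (assumed name): only classes under the listed packages may be
    // deserialized from an ObjectMessage body. java.lang and java.util are
    // listed so wrapper types and standard collections still work; any other
    // class referenced by the body is refused instead of being instantiated.
    private static final String URI = BROKER
        + "?jms.deserializationPolicy.whiteList=com.example.orders,java.lang,java.util";

    public static void main(String[] args) throws JMSException {
        JmsConnectionFactory factory = new JmsConnectionFactory(URI);
        Connection connection = factory.createConnection("user", "password");
        try {
            connection.start();
            Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageConsumer consumer = session.createConsumer(session.createQueue(QUEUE));

            Message message = consumer.receive(5000);
            if (!(message instanceof ObjectMessage)) {
                System.out.println("No ObjectMessage received within timeout");
                return;
            }
            try {
                // getObject() is the point at which deserialization happens;
                // with the whitelist in place a body naming a non-listed class
                // fails here and the application never sees an instance of it.
                Object body = ((ObjectMessage) message).getObject();
                System.out.println("Accepted body of type " + body.getClass().getName());
            } catch (JMSException rejected) {
                // Log and drop; do not retry deserialization with a wider policy.
                System.err.println("Rejected ObjectMessage body: " + rejected.getMessage());
            }
        } finally {
            connection.close();
        }
    }
}
```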

Credit

This issue was discovered by Matthias Kaiser of Code White
(www.code-white.com).